5 Valuable Contextual Data Sources for Small Businesses


February 10, 2015, by Lynne Gillespie

Data is Critical for Proper Information Security Monitoring
Researchers rely on data from multiple sources before they announce their findings at a worldwide conference. Doctors rely on data from multiple tests before they make a diagnosis. It’s difficult to get a comprehensive view of any situation without data – and not just one source. Multiple sources of data can help provide a better assessment of security posture. The more reliable the data, the better prepared you are.

“Are We as Secure as We Could Be?”
This question is asked not only by an organization’s IT department but by its leaders as well. Continuous monitoring of your information security infrastructure for contextual data - supplemental information security data retrieved from other critical assets - can help provide answers to that question.
What is Priority in Information Security Monitoring?
Information security data can be found within virtually all critical assets: servers, websites, applications, devices, and endpoints on a corporate network. However, not all systems provide equally valuable security context. While monitoring every security system would be ideal, lack of time and resources makes this impractical for most organizations. So which data sources should be prioritized to optimize information security monitoring efforts?
Continuous security monitoring and context are the keys to effective information security monitoring. The more relevant security context you have from other critical assets on your network, the more likely it is that you will successfully detect real cyber security incidents while weeding out false positives (i.e. non-threats). In determining which devices and systems to monitor for security data, gathering the most useful context is the top priority.
Dell SecureWorks recommends you take a look at the following as valuable data sources for contextual security data.

1. Network-Based Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS)
Network Intrusion Detection System and Network Intrusion Prevention System devices use signatures to detect information security events on your network. Performing full packet inspection of network traffic at the perimeter or across key network segments, most IDS/IPS devices provide detailed alerts that help to detect:

Known vulnerability exploit attempts

Known Trojan activity

Anomalous behavior (depending on the IDS/IPS)

Port and host scans

2. Firewalls
Serving as the network’s gatekeeper, firewalls allow and log incoming and outgoing network connections based on your policies. Some firewalls also have basic IDS/IPS signatures to detect information security events. Monitoring firewall logs helps to detect:

4. Network Devices with Access Control Lists (ACLs)
Network devices that can use ACLs, such as routers and VPN servers, have the ability to control network traffic based on permitted networks and hosts. Log monitoring of devices with ACLs helps to detect:

New and unknown threats, such as custom Trojan activity

Port and host scans

Minor anomalous behavior

Almost anything denied by the ACLs

5. Server and Application Logs
Many types of servers and applications are able to log events such as login attempts and user activity. Depending on the extent of logging capabilities, monitoring server and application logs can help to detect:

Known and unknown exploit attempts

Password grinding

Anomalous behavior by users or applications
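The article's central point, that a signal from one source becomes far more useful when combined with context from others, can be shown with detection logic run over sample logs. The example below is added here and is not Dell SecureWorks code: it flags password grinding in constructed server authentication log lines (item 5), then enriches each hit with constructed firewall deny records (item 2) and IDS alerts (item 1) for the same source address, and ranks the findings so that corroborated activity is reviewed first. The log formats, addresses, thresholds and the simple "high/medium" priority scheme are all assumptions made for this illustration.

```python
"""Correlate three of the data sources the article lists (server auth logs,
firewall logs, IDS alerts) so that a single-source signal becomes a
contextual finding.  All log samples below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample logs (invented; simplified syslog-like format) ---
AUTH_LOG = """\
2015-02-10T09:00:01 sshd: Failed password for admin from 203.0.113.5
2015-02-10T09:00:04 sshd: Failed password for root from 203.0.113.5
2015-02-10T09:00:09 sshd: Failed password for admin from 203.0.113.5
2015-02-10T09:00:15 sshd: Failed password for oracle from 203.0.113.5
2015-02-10T09:00:21 sshd: Failed password for admin from 203.0.113.5
2015-02-10T09:00:30 sshd: Failed password for test from 203.0.113.5
2015-02-10T09:01:00 sshd: Failed password for backup from 198.51.100.7
2015-02-10T09:01:02 sshd: Failed password for backup from 198.51.100.7
2015-02-10T09:01:04 sshd: Failed password for backup from 198.51.100.7
2015-02-10T09:01:06 sshd: Failed password for backup from 198.51.100.7
2015-02-10T09:01:08 sshd: Failed password for backup from 198.51.100.7
2015-02-10T09:05:00 sshd: Failed password for alice from 192.0.2.9
2015-02-10T09:05:30 sshd: Accepted password for alice from 192.0.2.9
"""
FIREWALL_LOG = """\
2015-02-10T08:58:10 fw: DENY TCP 203.0.113.5:51000 -> 10.0.0.20:3389
2015-02-10T08:58:11 fw: DENY TCP 203.0.113.5:51001 -> 10.0.0.20:445
2015-02-10T08:58:12 fw: DENY TCP 203.0.113.5:51002 -> 10.0.0.20:1433
2015-02-10T09:00:00 fw: ALLOW TCP 203.0.113.5:51010 -> 10.0.0.20:22
2015-02-10T09:00:59 fw: ALLOW TCP 198.51.100.7:40000 -> 10.0.0.20:22
"""
IDS_ALERTS = """\
2015-02-10T08:58:13 ids: ALERT "Port scan" src=203.0.113.5 dst=10.0.0.20
"""

# Generic line shape: "<timestamp> <device>: <message>" (assumed format)
LINE = re.compile(r"^(?P<ts>\S+) (?P<dev>\w+): (?P<msg>.*)$")
AUTH_FAIL = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")
FW_DENY = re.compile(r"DENY \w+ (?P<ip>[\d.]+):\d+ ->")
IDS_SIG = re.compile(r'ALERT "(?P<sig>[^"]+)" src=(?P<ip>[\d.]+)')


def parse(text):
    """Split log text into (timestamp, device, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["dev"], m["msg"]))
    return events


def password_grinding(auth_events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for every source IP that produced at least
    `threshold` failed logins inside any sliding window of length `window`."""
    stamps_by_ip = defaultdict(list)
    for ts, _, msg in auth_events:
        m = AUTH_FAIL.search(msg)
        if m:
            stamps_by_ip[m["ip"]].append(ts)
    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits


def context_for(ip, fw_events, ids_events):
    """Collect corroborating evidence about `ip` from the other two sources."""
    denies = sum(1 for _, _, msg in fw_events
                 if (m := FW_DENY.search(msg)) and m["ip"] == ip)
    sigs = sorted({m["sig"] for _, _, msg in ids_events
                   if (m := IDS_SIG.search(msg)) and m["ip"] == ip})
    return {"firewall_denies": denies, "ids_signatures": sigs}


def prioritize(auth_text=AUTH_LOG, fw_text=FIREWALL_LOG, ids_text=IDS_ALERTS):
    """Combine the single-source detection with context and rank the findings:
    a grinding source that also tripped firewall denies or IDS signatures is
    'high'; one seen only in the auth log is 'medium' (could be a broken script)."""
    auth, fw, ids = parse(auth_text), parse(fw_text), parse(ids_text)
    findings = []
    for ip, failures in password_grinding(auth).items():
        ctx = context_for(ip, fw, ids)
        corroborated = ctx["firewall_denies"] > 0 or bool(ctx["ids_signatures"])
        findings.append({"ip": ip, "failed_logins": failures,
                         "priority": "high" if corroborated else "medium", **ctx})
    findings.sort(key=lambda f: (f["priority"] != "high", -f["failed_logins"]))
    return findings


if __name__ == "__main__":
    for finding in prioritize():
        print(finding)
```

Run as a script, it lists 203.0.113.5 first (five-plus failures, three firewall denies and a port-scan signature, so "high") and 198.51.100.7 second (failures only, so "medium"); 192.0.2.9, with one failure followed by a successful login, is not reported at all. The same threshold applied to the auth log alone would have ranked the first two identically, which is exactly the gap that context from the firewall and IDS closes.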

Information Security Monitoring Value
It is important to understand that the incremental value of a data source will vary from situation to situation. A source’s purpose, its location in your network and the quality of the data it provides are a few of the many variables that must be considered when planning your continuous information security monitoring strategy.
By monitoring the assets that provide the highest value security context, you can optimize security monitoring efforts. Doing so will provide faster, more accurate detection of threats while making the most of your security resources.
Utilize Security Monitoring Best Practices
Security monitoring is critical to all organizations, whether you are a large corporation or a small business, and it is never ending. Cyber threats do not take breaks and neither can you when it comes to your organization's information security. Are you using all of the security resources you currently have to their fullest capabilities? Are there areas where you are lacking when it comes to security monitoring?
Contact an Information Security Consultant at Dell SecureWorks to help implement security monitoring best practices for your organization today.